[exim] Re: Fixing or disabling TLS for internal network host…

Top Page
Delete this message
Reply to this message
Author: AC
Date:  
To: exim-users
Subject: [exim] Re: Fixing or disabling TLS for internal network hosts
On 2023-10-07 18:55, Ian Z via Exim-users wrote:
> On Sat, Oct 07, 2023 at 04:10:24PM -0700, AC via Exim-users wrote:
>
>> The internal hosts are running self-signed certificates. So is there
>> a way to either make the self-signed certificates acceptable to the
>> main Exim server or otherwise disable the use of TLS by either the
>> internal servers or configuring the main server to not advertise TLS
>> to the internal hosts?
>
> tls_advertise_hosts main config option should answer the second half
> of your question. I don't quite understand the first half, though.
> Why does your main server care about the client's certificates? Do
> you set tls_verify_hosts or tls_try_verify_hosts? By default these
> options are unset, so client certificate signatures don't matter.
>
> Is it possible that the messages are caused by something else than
> missing signature verification? Can you show the exact error messages?
>


The error message on the main server is:
TLS error on connection from [host] (recv): A TLS fatal alert has been
received.: Certificate is bad

These are the related settings according to -bP

tls_advertise_hosts = *
tls_try_verify_hosts =
tls_verify_certificates = ${if
exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts =

I have the advertise set to * for incoming mail from the public side but
the rest are empty. How would I alter this to not advertise TLS to the
internal hosts and still advertise to all other hosts?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/